Claude/check project completion 01 n kbqv mw be tx h342 cn11w xz#10
Merged
Co0ob1iee merged 2 commits intoDec 8, 2025
Implements critical security hardening for Aegis Messenger backend:

## CRIT-001: Persistent Signal Protocol Store
- Replace InMemorySignalProtocolStore with DatabaseSignalProtocolStore
- Add encrypted storage for sessions, pre-keys, signed pre-keys
- Implement AES-256-GCM encryption for all sensitive key material
- Add session expiration (30 days) and automatic cleanup

## CRIT-002: Secure JWT Configuration
- Remove hardcoded JWT secret key
- Add mandatory configuration validation
- Require minimum 64-character key length
- Application fails to start without proper JWT configuration

## HIGH-001: Rate Limiting
- Add RateLimitingMiddleware for all endpoints
- Configure strict limits for auth endpoints (5 login/min, 3 register/min)
- Add X-RateLimit-* response headers
- Return 429 Too Many Requests when exceeded

## HIGH-002: CORS Policy Hardening
- Remove AllowAnyOrigin() policy
- Implement AegisPolicy with explicit allowed origins
- Separate DevelopmentPolicy for local development
- Configure via appsettings.json

## HIGH-006: Security Headers
- Add SecurityHeadersMiddleware with comprehensive headers
- Content-Security-Policy, X-Frame-Options, X-Content-Type-Options
- Permissions-Policy, Referrer-Policy
- Cache-Control: no-store for API responses

## MED-001: Global Exception Handler
- Add GlobalExceptionMiddleware
- Prevent information disclosure in production
- Consistent error response format with trace IDs
- Full stack traces only in development

New files:
- Aegis.Backend/Middleware/*.cs (3 middleware classes)
- Aegis.Core/Cryptography/SignalProtocol/DatabaseSignalProtocolStore.cs
- Aegis.Data/Entities/SignalProtocolEntities.cs
- Aegis.Data/Services/SessionEncryptionService.cs
- Aegis.Data/Repositories/SignalProtocolRepository.cs
- appsettings.json, appsettings.Development.json
- PHASE1_SECURITY_FIXES.md (documentation)

Breaking changes:
- JWT Key must now be configured (no default)
- CORS requires explicit origin configuration
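An added example (not code from this pull request) of the AES-256-GCM sealing that CRIT-001 describes for stored session and pre-key records, showing a fresh nonce per record and the record identifier bound as associated data. `SessionRecordCipher`, the `nonce || tag || ciphertext` layout and the record ids are assumptions; the two-argument `AesGcm` constructor assumes .NET 8 or later.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Constructed demo input: a random key and a made-up session record.
byte[] key = RandomNumberGenerator.GetBytes(32);
byte[] blob = SessionRecordCipher.Seal(key, Encoding.UTF8.GetBytes("constructed session state"), "session:alice:1");
Console.WriteLine(Encoding.UTF8.GetString(SessionRecordCipher.Open(key, blob, "session:alice:1")));
try { SessionRecordCipher.Open(key, blob, "session:bob:1"); }
catch (CryptographicException) { Console.WriteLine("rejected: blob was moved to another record"); }

// Hypothetical helper for illustration; not the project's SessionEncryptionService.
public static class SessionRecordCipher
{
    private const int NonceSize = 12; // 96-bit GCM nonce
    private const int TagSize = 16;   // 128-bit authentication tag

    // Assumed storage layout: nonce || tag || ciphertext.
    public static byte[] Seal(byte[] key, byte[] plaintext, string recordId)
    {
        if (key.Length != 32) throw new ArgumentException("AES-256 needs a 32-byte key.", nameof(key));
        byte[] nonce = RandomNumberGenerator.GetBytes(NonceSize); // fresh per record, never reused under one key
        byte[] tag = new byte[TagSize];
        byte[] ciphertext = new byte[plaintext.Length];
        using var aes = new AesGcm(key, TagSize);
        // The record id as associated data ties the blob to its row, so it cannot be swapped onto another row.
        aes.Encrypt(nonce, plaintext, ciphertext, tag, Encoding.UTF8.GetBytes(recordId));
        byte[] blob = new byte[NonceSize + TagSize + ciphertext.Length];
        nonce.CopyTo(blob, 0);
        tag.CopyTo(blob, NonceSize);
        ciphertext.CopyTo(blob, NonceSize + TagSize);
        return blob;
    }

    public static byte[] Open(byte[] key, byte[] blob, string recordId)
    {
        if (blob.Length < NonceSize + TagSize) throw new CryptographicException("Blob too short.");
        ReadOnlySpan<byte> nonce = blob.AsSpan(0, NonceSize);
        ReadOnlySpan<byte> tag = blob.AsSpan(NonceSize, TagSize);
        ReadOnlySpan<byte> ciphertext = blob.AsSpan(NonceSize + TagSize);
        byte[] plaintext = new byte[ciphertext.Length];
        using var aes = new AesGcm(key, TagSize);
        // Throws a CryptographicException if the blob, the key or the record id does not match.
        aes.Decrypt(nonce, ciphertext, tag, plaintext, Encoding.UTF8.GetBytes(recordId));
        return plaintext;
    }
}
```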
Implements Phase 2 security improvements and infrastructure enhancements:

## Input Validation (FluentValidation)
- Add RegisterRequestValidator with strict password policy:
  - Minimum 12 characters
  - Require uppercase, lowercase, digit, special character
  - Block common password patterns
  - SQL injection prevention
- Add LoginRequestValidator
- Add SendMessageRequestValidator with size limits
- Add FileUploadRequestValidator with MIME type whitelist

## Account Lockout (HIGH-005)
- Add AccountLockoutService with progressive lockout
- 5 failed attempts -> 15 minute lockout (increases with each lockout)
- Protect against brute force and enumeration attacks
- Add constant-time delays to prevent timing attacks

## Health Checks
- Add DatabaseHealthCheck with response time monitoring
- Add SignalRHealthCheck
- Add DiskSpaceHealthCheck
- Add MemoryHealthCheck
- Expose /health, /health/ready, /health/live endpoints

## Background Services
- Add SessionCleanupService - removes expired sessions hourly
- Add UserStatusService - marks inactive users as offline
- Add DatabaseHealthMonitorService - monitors DB connectivity

## CI/CD Pipeline (GitHub Actions)
- Add build & test workflow
- Add security vulnerability scanning
- Add code quality checks (dotnet format)
- Add Docker build step for main branch

## AuthController Improvements
- Integrate FluentValidation
- Integrate AccountLockoutService
- Add structured error responses
- Add 423 Locked status for locked accounts
- Log IP addresses for security auditing

New files:
- .github/workflows/dotnet-ci.yml
- Aegis.Backend/HealthChecks/CustomHealthChecks.cs
- Aegis.Backend/Services/AccountLockoutService.cs
- Aegis.Backend/Services/BackgroundServices.cs
- Aegis.Backend/Validators/RequestValidators.cs

Modified files:
- Aegis.Backend/Controllers/AuthController.cs
- Aegis.Backend/Program.cs
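An added example (not the project's AccountLockoutService) of the progressive lockout rule stated under HIGH-005: 5 failed attempts trigger a 15 minute lockout that grows with each lockout. The `LockoutPolicy` class, the doubling growth rule, the 24 hour cap and keying on the submitted username are assumptions; the commit message only says the duration increases.

```csharp
using System;
using System.Collections.Generic;

// Constructed walk-through: three rounds of five failures, each starting when the previous lock expires.
var policy = new LockoutPolicy();
var now = new DateTimeOffset(2025, 1, 1, 12, 0, 0, TimeSpan.Zero); // constructed clock
for (int round = 1; round <= 3; round++)
{
    DateTimeOffset? until = null;
    for (int i = 0; i < 5; i++) until = policy.RecordFailure("alice", now);
    Console.WriteLine($"lockout {round}: {(until.Value - now).TotalMinutes} minutes");
    now = until.Value; // jump to the expiry, then fail again
}

// Hypothetical in-memory tracker for illustration only.
public sealed class LockoutPolicy
{
    private const int MaxAttempts = 5;                                        // from the commit message
    private static readonly TimeSpan BaseLockout = TimeSpan.FromMinutes(15);  // from the commit message
    private static readonly TimeSpan MaxLockout = TimeSpan.FromHours(24);     // assumed cap

    private sealed class State { public int Failures; public int Lockouts; public DateTimeOffset? Until; }

    // Keyed on the submitted name, existing or not, so unknown accounts lock the same way (assumption).
    private readonly Dictionary<string, State> _states = new(StringComparer.OrdinalIgnoreCase);

    public DateTimeOffset? LockedUntil(string account, DateTimeOffset now) =>
        _states.TryGetValue(account, out var s) && s.Until > now ? s.Until : null;

    // Returns the lock expiry if the account is (or has just become) locked, otherwise null.
    public DateTimeOffset? RecordFailure(string account, DateTimeOffset now)
    {
        if (!_states.TryGetValue(account, out var s)) _states[account] = s = new State();
        if (s.Until > now) return s.Until;            // already locked: neither count nor extend
        if (++s.Failures < MaxAttempts) return null;
        s.Failures = 0;
        // Assumed growth rule: double on every lockout (15, 30, 60 ... minutes), up to the cap.
        double minutes = BaseLockout.TotalMinutes * Math.Pow(2, s.Lockouts++);
        s.Until = now + TimeSpan.FromMinutes(Math.Min(minutes, MaxLockout.TotalMinutes));
        return s.Until;
    }

    // A successful login clears the attempt counter but keeps the lockout history, so escalation persists.
    public void RecordSuccess(string account)
    {
        if (_states.TryGetValue(account, out var s)) s.Failures = 0;
    }
}
```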
Co0ob1iee added a commit that referenced this pull request Dec 8, 2025
Merge pull request #10 from Co0ob1iee/claude/check-project-completion…
No description provided.